AOL Ditches Security Tokens To Make Logging In Easier


AOL customers who sprang for the company's $10 "PassCode" security token to harden their account can get ready to toss their fancy crypto-numeric keyfobs in the same landfill as all those CD-ROMs AOL mailed them in the 1990s.

As the Virginia-based company prepares for its December 10 spin-off from Time Warner, it's telling customers that it will no longer support RSA's SecurID tokens, which it began offering as an optional extra in 2004. AOL drew accolades from security types at the time for what was ballyhooed as the first broad consumer deployment of two-factor authentication.

SecurID adds an extra layer of protection to the login process by requiring users to enter a secret code number displayed on the keyfob, or in a software emulation, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

But AOL explains that this move away from higher security is all about speed and convenience.

"We're writing to inform you that in the coming days, use of SecurID for your AOL or AIM account will be discontinued," the company wrote in an e-mail to users. "'Two-step authentication' will no longer be required to sign in, which should make it faster and easier for you to access your e-mail account and any websites that prompt for the SecurID number."

Customers who wanted the extra security paid a one-time $9.95 and an additional $1.95 a month. Which means AOL's move will make logging in faster, easier ... and cheaper – the customer service Trifecta!

"We feel that users can have a better experience without sacrificing their security, and we've offered assistance in creating passwords that follow recognized protocols for complexity and measures to guard against online threats and hackers," the company said in a statement.

RSA, maker of SecurID, says it will barely notice the loss of AOL. After an initial flood of requests in 2004, shipments to AOL users have trickled off, even as the technology has enjoyed inroads in arguably more important applications like electronic banking. RSA now has 40 million customers carrying SecurID hardware tokens, the company says, and another 250 million using software.

HBOS, Banco Itau and Credit Suisse are among the financial institutions that offer SecurID to online banking customers. The technology's use in online banking has forced hackers to craft special malware to intercept the ever-changing passcodes in real time on compromised Windows machines, where before they could capture passwords and use them at their leisure.

It's possible that AOL customers just weren't the right fit for the fobs, says Sam Curry, a president of product management at RSA.

"If the end user is going through difficulty of use ... for something that's of relatively little value to them like e-mail, then there's little point," says Curry. "So the trade-off may not make sense for users of AOL."

Former hacker and AOL trufan Adrian Lamo says a small number of "white glove" customers – mostly celebrities – are being allowed to continue using SecurID to protect their accounts, a claim that's supported by AOL's website. But based on what he says is inside information, Lamo worries the company also plans to jettison SecurID from its internal, back-end systems and VPN – potentially bad news given the amount of hacking AOL suffered before it introduced the system.

"I'm upset that people who have had screen names for 20 ... years are going to risk losing them," he wrote in an IM interview.